Hardening against Spectre/Meltdown and compiling kernels [SOLVED]

linx255
Level 5
Posts: 675
Joined: Mon Mar 17, 2014 12:43 am


Post by linx255 » Mon Jul 16, 2018 4:33 am

Hi,

I've been reading all the documentation on hardening my system against Spectre / Meltdown and being quite overwhelmed, I'm timing out to formulate a sensible execution plan to fix this finally. Or if this ends up being out of my league, just wait until I get a newer machine and/or the next Mint release.

It seems my Mint 18 setup needs kernel version 4.4.0-116.

I'm not entirely clear on how to implement every available fix and have many questions since all the lingo in the Spectre/Meltdown wiki is Greek/GEEK to me. :)

Thank you very much!




1) Will compiling kernels become a regular chore for me?

I intend to test kernel 4.4.0-116 with Linux Mint 18 Mate 64. Will Mint 19 ship with an attack resistant kernel? When newer resistant hardware is available will that eliminate the need to custom compile the kernel?

For now it looks like, per my system specs, I need to compile with retpoline, so unfortunately it seems until I get a newer machine I'll need to compile my own kernels. If the case, then I'm a little concerned I'm getting in over my head and hoping I don't run into any snags and it's smooth and easy. Also, I'm guessing I'll need to recompile the kernel every time there's an update to it, so I'm hoping there's a way to, perhaps, receive e-mail alerts when new kernel updates are available? ( As opposed to constantly checking the website and hoping I didn't miss any updates. )


2) Compiling with retpoline and hardening userspace:

According to https://github.com/NixOS/nixpkgs/issues/34383 , I need "CONFIG_RETPOLINE enabled" ( is that a boot / kernel parameter / is there a difference? ) and a "compiler that supports -mindirect-branch=thunk-extern", which links to https://git.kernel.org/pub/scm/linux/ke ... 74b3ad147d , apparently some kind of retpoline compiler.

Assuming I have no problems setting the parameter, and I figure out what to do with all that code in that compiler, then I still need to apply retpoline to userspace, right? Is userspace hardening something that developers alone do or users too? I hear Mozilla has implemented retpoline in the Firefox application. If there's something I need to do so that all applications are hardened what would that be? ( Just having a retpoline-compiled kernel doesn't protect userspace, AFAIK. )


3) PCID/VM-related:

On https://wiki.ubuntu.com/SecurityTeam/Kn ... wn/TechFAQ what is meant by: "While PCID support was only included in the upstream 4.14 kernel, it has been backported along with the KPTI patchset as part of the kernel updates in the Meltdown USNs issued on Jan 9." Where does the 4.4.0-116 kernel stand regarding this feature?

On https://wiki.ubuntu.com/SecurityTeam/Kn ... wn/TechFAQ what is meant by: "Virtual machines can't use these optimisations unless the hypervisor exposes the CPU's PCID and INVPCID features. If the VM is running with an updated kernel, KPTI will still be active and the VMs will be secure, but they will experience seriously degraded performance until the hypervisor is updated to expose them." First, does this affect Docker or Virtualbox? Second, what is meant by 'updating' the hypervisor? Does that just mean whoever is maintaining the hypervisor packages has to release an update / patch?


4) Firmware-related:

Variant 2 requires a firmware update. Will Mint handle firmware updates or should I install them from Intel? Also, could a firmware update trigger system instability or performance problems?


5) Kernel parameter-related:

Variant 4 requires booting with the spec_store_bypass_disable=seccomp kernel parameter to mitigate variant 4. Could this trigger instability or a performance hit? And how do I boot with this parameter? I searched for half an hour and couldn't find the solution. Do I simply add it to /boot/config-########-generic?


6) Testing kernel on a VM:

I read it may be beneficial to set up a VM for kernel testing; what VM application would be best suited for virtualizing Mint? I'm happy with VirtualBox but curious about KVM, if anyone has a preference. I need to know that my test is a reliable predictor of how the OS will work on the real system. With any luck the VM will talk to my hardware exactly the same as if it were a real machine!




Thanks

P.S.

I thought I'd attach Firmware installation instructions from Intel for everyone's convenience if you're attempting to fix spectre/meltdown as well:

Loading microcode using the initrd method is recommended so that the microcode is loaded at the earliest time for best coverage. Systems that cannot tolerate downtime may use the late reload method to update a running system without a reboot.

To update early loading initrd, consult your Linux distributor on how to package microcode files for early loading. Some Linux distributions use update-initramfs or dracut. As recommended above, please use the OS vendor's recommended method to ensure the microcode file is updated for early loading before attempting the late-load procedure below.

To update the intel-ucode package on the system, one needs to:
1. Ensure the existence of /sys/devices/system/cpu/microcode/reload
2. Copy the intel-ucode directory to /lib/firmware, overwriting the files in /lib/firmware/intel-ucode/
3. Write the reload interface to 1 to reload the microcode files, e.g.
echo 1 > /sys/devices/system/cpu/microcode/reload

If you are using the OS vendor method to update microcode, the above steps may have been done automatically during the update process.
-----

And here are instructions for compiling a kernel for your convenience ( and scrutiny-- please check for correctness ):
1) download kernel source file from kernel.org

2) sudo apt-get install git fakeroot build-essential ncurses-dev xz-utils libssl-dev bc flex libelf-dev bison

3) tar xvf [kernel file]; cd [kernel dir]   ( kernel.org tarballs are .tar.xz, so let tar detect the compression rather than forcing -z )

4) open up current parameters from /boot/config-4#######-generic
what do all the parameters do?
can we disable bluetooth device? wireless device?
add 'CONFIG_RETPOLINE enabled' parameter?

5) use 'make menuconfig' with kernel file
how?

6) compile kernel via:
make -j"$(nproc)"   ( builds the kernel and its modules; must come before modules_install )
sudo make modules_install
sudo make install
sudo update-initramfs -c -k [kernel version]
sudo update-grub
If you know of a better guide please let me know.
Last edited by linx255 on Mon Jul 16, 2018 10:31 pm, edited 3 times in total.
- I'm running Mint 18 Mate 64-bit
- 4.15.0-34-generic x86_64
- All my bash scripts begin with #!/bin/bash

Moem
Level 16
Posts: 6798
Joined: Tue Nov 17, 2015 9:14 am
Location: The Netherlands

Re: Hardening against Spectre/Meltdown and compiling kernels

Post by Moem » Mon Jul 16, 2018 4:37 am

linx255 wrote:
Mon Jul 16, 2018 4:33 am
WILL COMPILING KERNELS BECOME A REGULAR CHORE FOR ME?
NO. *cough* Excuse me... I meant: No. :wink:
No, there is no need to do that. Just install the latest kernel in the 4.4 series, right from the Update Manager, and you'll have a patched kernel.

If your issue is solved, kindly indicate that by editing the first post in the topic, and adding [SOLVED] to the title. Thanks!

linx255
Level 5
Posts: 675
Joined: Mon Mar 17, 2014 12:43 am

Re: Hardening against Spectre/Meltdown and compiling kernels

Post by linx255 » Mon Jul 16, 2018 6:04 am

Haha. You said "NO...I mean, no." like Madeline Kahn in the 1985 movie 'Clue' if you remember that. I failed to locate the clip. And sorry for the all caps; it was accidental, and is now fixed.

I forgot what article I found that indicated I should use kernel version 4.4.0-116 ( perhaps one on the Mint forum ), but if I'm not mistaken I think it did have to be that specific version, at least for my hardware. Or perhaps that was just the latest version at the time of writing and they were really just recommending the latest version as you are.

At any rate, my research indicated that due to my somewhat aged hardware my kernel would need to be compiled with retpoline and that there are numerous ways this all needs to be fixed and there is no one solution for all of it, as it's a very complex problem that varies with all kinds of hardware and software. You are saying that is no longer / never was the case, and the latest kernel takes care of everything? And by newest 4.4.0-* kernel do you mean 4.4.0-130 ?

I'm also confused as to why there are so many kernels to choose from and what the deciding factors are. I understand perhaps testing and stability issues are a part of it but other than that, I'm in the dark. It's been a while since I researched this and I'm scratching my head as to why I didn't take notes. :( Would research now but up all night, now zzzzz...

Thank you again

Moem
Level 16
Posts: 6798
Joined: Tue Nov 17, 2015 9:14 am
Location: The Netherlands

Re: Hardening against Spectre/Meltdown and compiling kernels

Post by Moem » Mon Jul 16, 2018 6:16 am

linx255 wrote:
Mon Jul 16, 2018 6:04 am
I forgot what article I found that indicated I should use kernel version 4.4.0-116 ( perhaps one on Mint forum ), but if I'm not mistaken I think it did had to be that specific version, at least for my hardware. Or perhaps that was just the latest version at the time of writing and they were really just recommending the latest version as you are.
That sounds likely to me.
linx255 wrote:
Mon Jul 16, 2018 6:04 am
At any rate, my research indicated that due to my somewhat aged hardware my kernel would need to be compiled with retpoline and that there are numerous ways this all needs to be fixed and there is no one solution for all of it, as it's a very complex problem that varies with all kinds of hardware and software.
If I were you I'd just try it out. If it doesn't work, you can load the previously used, working kernel in GRUB and you are back where you were; if it does, hey ho, it was that easy after all and you are now done. No harm, no foul, right?
linx255 wrote:
Mon Jul 16, 2018 6:04 am
And by newest 4.4.0-* kernel do you mean 4.4.0-130 ?
Currently that seems to be the case, yes.

rene
Level 8
Posts: 2187
Joined: Sun Mar 27, 2016 6:58 pm

Re: Hardening against Spectre/Meltdown and compiling kernels

Post by rene » Mon Jul 16, 2018 7:40 am

linx255 wrote:
Mon Jul 16, 2018 4:33 am
I'm not entirely clear on how to implement every available fix and have many questions since all the lingo in the Spectre/Meltdown wiki is Greek/GEEK to me. :)
Which is probably (or hopefully...) to say that you are posting this in the context of a generic desktop install of Linux Mint rather than, say, in the context of administering a VM server farm.

As such, and do take this seriously, the first thing you need to do is to stop panicking. Meltdown is solved (as in, not just mitigated) by the KPTI kernel patches which are already present in every still supported 64-bit kernel available for Mint 17, 18 and 19, and the Spectre family of vulnerabilities is mitigated by same -- them being compiled with a retpoline-enabled compiler by Canonical -- as well as by already available and to Ubuntu/Mint users distributed microcode updates.

In answer to your 1 and half of your 2 then, no, there is no need to compile a custom kernel, the standard through Update Manager available kernels are all you need. Also, CONFIG_RETPOLINE is a kernel compile-time option and is enabled for those.

For the remainder of 2, userspace retpoline... what the retpoline mitigation does is replace potentially exploitable (but standard) machine-code sequences with non-exploitable ones. It is as such a compiler-based mitigation; you need a retpoline-enabled compiler so as to avoid the vulnerable sequences. In the case of distributions, the one to compile programs is generally the distribution itself. Kernels being relatively uniform across distributions have a relatively big attack surface and are as said compiled for/with retpoline already. I believe other large pieces of software such as Firefox-as-available-from-the-repositories are indeed also already protected by retpoline but wouldn't even be sure since ...

... note that spectre is extremely hard to exploit in the first place; important server farms could theoretically invite a determined attacker, an end-user desktop does not, and as far as I'm aware exploits of none of these issues have in fact been observed in the wild even for the former. That is, even though I don't believe large parts of userspace have at this point in time been retpoline-compiled you really can stop worrying; attack vectors are closed one by one but are so exceedingly tiny to begin with especially for an end user that you for now have to try REALLY hard to be more than conceptually affected by any of this. You are not in danger.

As to your 3; the source you quote is saying that PCID support has been integrated into the same kernels as mentioned above; all currently supported kernels, that is. Yes, the hypervisor bit is saying that while VMs are not vulnerable if you run an up-to-date kernel, they do experience slowdowns unless VirtualBox or KVM or what have you has also been updated to a version exposing PCID to the VM, yes, by Canonical/Mint and then you by simply installing the update.

The currently from the repositories available version of VB on Mint 18 appears to be https://launchpad.net/ubuntu/+source/vi ... u1.16.04.2. According to https://www.virtualbox.org/wiki/Changelog-5.1 PCID should seemingly be present in anything calling itself 5.1.34 but if I'm not mistaken, simply looking at /proc/cpuinfo inside of a VM is all the confirmation you need: if "pcid" is included in "flags" there you're seemingly good to go. Slight disclaimer in the sense of me not being able to verify this beyond doubt at the moment; supposedly re-ask on the VB forums if you need more confirmation.

Your 4: bit careful with terminology here; it requires a microcode update and while that can, a, be considered to be CPU-firmware and, b, delivered as part of your BIOS, your system firmware, the fact that a to this issue unrelated "linux-firmware" package exists tends to confuse the issue. In Mint, you install/enable microcode updates for your CPU through Administration -> Driver Manager. It'll be updated alongside your regular updates if one is available.

No, you shouldn't install it manually from Intel and sure, definitely could cause instability and performance issues. And/or fix such.

Your 5: for a one-off method of setting a kernel parameter you can set it in/via grub; for a more permanent method you edit /etc/default/grub: https://wiki.ubuntu.com/Kernel/KernelBootParameters.

As to your 6, no opinion.

I'd myself by the way advise the current 4.15 kernel on Mint 18.3. You install other kernel series through Update Manager -> View -> Linux kernels.
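The checks rene describes above (is "pcid" in the VM's /proc/cpuinfo flags, and which microcode revision is loaded), written up as an added example that is not code from this thread. Beyond the thread it also reads the kernel's own sysfs mitigation status files, assumed to live under /sys/devices/system/cpu/vulnerabilities (absent on kernels that predate that interface); the two embedded cpuinfo samples are constructed, not captured.

```shell
#!/bin/bash
# Added example, not from the thread. Read-only checks for the points rene raises:
#  - inside a VM, are "pcid" and "invpcid" in the cpuinfo flags, i.e. does the
#    hypervisor expose PCID so KPTI can use it?
#  - which microcode revision is the CPU currently running?
#  - what does the kernel itself report under its sysfs vulnerabilities directory
#    (assumption: the kernel has that interface; it is missing on older kernels).
# Every function takes an optional file/dir argument so it can be run against a
# constructed sample as well as the live system.

# has_cpu_flag FLAG [CPUINFO_FILE]: exit 0 if FLAG is a word in the first "flags" line.
has_cpu_flag() {
    local flag="$1" file="${2:-/proc/cpuinfo}"
    sed -n '/^flags[[:space:]]*:/{p;q;}' "$file" | tr ' ' '\n' | grep -qx "$flag"
}

# microcode_revision [CPUINFO_FILE]: print CPU 0's microcode revision (e.g. 0x84).
microcode_revision() {
    local file="${1:-/proc/cpuinfo}"
    sed -n 's/^microcode[[:space:]]*:[[:space:]]*//p' "$file" | head -n 1
}

# pcid_report [CPUINFO_FILE]: one summary line; exit 0 when pcid and invpcid are
# both exposed, 1 when they are not (KPTI still works, just more slowly).
pcid_report() {
    local file="${1:-/proc/cpuinfo}" ucode
    ucode=$(microcode_revision "$file")
    if has_cpu_flag pcid "$file" && has_cpu_flag invpcid "$file"; then
        echo "pcid+invpcid exposed; microcode ${ucode:-unknown}"
        return 0
    fi
    echo "pcid/invpcid NOT exposed (hypervisor or CPU lacks them); microcode ${ucode:-unknown}"
    return 1
}

# mitigation_status [VULN_DIR]: print "name: status" for each file in the kernel's
# sysfs vulnerabilities directory; return 2 when the directory does not exist.
mitigation_status() {
    local dir="${1:-/sys/devices/system/cpu/vulnerabilities}" f
    if [ ! -d "$dir" ]; then
        echo "$dir missing: this kernel predates the sysfs mitigation interface"
        return 2
    fi
    for f in "$dir"/*; do
        if [ -f "$f" ]; then
            printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
        fi
    done
}

# Constructed samples in /proc/cpuinfo format (not captured from real machines).
# A guest whose hypervisor hides pcid/invpcid (note the "hypervisor" flag):
SAMPLE_GUEST_CPUINFO='processor   : 0
vendor_id   : GenuineIntel
model name  : Constructed Sample CPU
microcode   : 0x1
flags       : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm constant_tsc rep_good nopl xtopology nonstop_tsc pni ssse3 cx16 sse4_1 sse4_2 x2apic popcnt aes xsave avx hypervisor lahf_lm
'
# A host whose CPU exposes both flags:
SAMPLE_HOST_CPUINFO='processor   : 0
vendor_id   : GenuineIntel
model name  : Constructed Sample CPU
microcode   : 0x84
flags       : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx pdpe1gb lm constant_tsc nopl xtopology nonstop_tsc pni pclmulqdq ssse3 cx16 pcid sse4_1 sse4_2 x2apic popcnt aes xsave avx f16c rdrand lahf_lm abm invpcid
'

# Demo on the constructed samples, then on the machine this runs on
# (run it inside the VM to see what the hypervisor passes through).
for sample in "$SAMPLE_GUEST_CPUINFO" "$SAMPLE_HOST_CPUINFO"; do
    tmp=$(mktemp)
    printf '%s' "$sample" > "$tmp"
    pcid_report "$tmp" || true
    rm -f "$tmp"
done
mitigation_status || true
```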

Pjotr
Level 20
Posts: 10901
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)

Re: Hardening against Spectre/Meltdown and compiling kernels

Post by Pjotr » Mon Jul 16, 2018 7:52 am

rene wrote:
Mon Jul 16, 2018 7:40 am
I'd myself by the way advise the current 4.15 kernel on Mint 18.3.
Preferably not the current (known "bad apple" -24) but the latest but one (-23). :)
Tip: 10 things to do after installing Linux Mint 19 Tara
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.

linx255
Level 5
Posts: 675
Joined: Mon Mar 17, 2014 12:43 am

Re: Hardening against Spectre/Meltdown and compiling kernels

Post by linx255 » Mon Jul 16, 2018 2:48 pm

That sounds likely to me.
I'm assuming you're referring to the last sentence of my quote.
If I were you I'd just try it out.
Right, however, I'm just here to ensure my plan of action makes sense before investing the time and energy. My experience warns of jumping into major changes without preparation, but apparently this is not as involved as I first thought.
Which is probably (or hopefully...) to say that you are posting this in the context of a generic desktop install of Linux Mint rather than, say, in the context of administering a VM server farm.
Correct.
stop panicking.
I don't panic, I just try to be diligent and learn.
Spectre family of vulnerabilities is mitigated by same -- them being compiled with a retpoline-enabled compiler by Canonical -- as well as by already available and to Ubuntu/Mint users distributed microcode updates.
Ah I see.
You are not in danger.
Ok, cool, yeah, that's part of what I'm trying to determine here.
Slight disclaimer in the sense of me not being able to verify this beyond doubt at the moment; supposedly re-ask on the VB forums if you need more confirmation.
I'm not super worried and as I'm far more likely to get smacked into on the road.
careful with terminology here; it requires a microcode update and while that can, a, be considered to be CPU-firmware and, b, delivered as part of your BIOS, your system firmware, the fact that a to this issue unrelated "linux-firmware" package exists tends to confuse the issue...
So to repeat back what I'm hearing, you're saying the microcode updates from Driver Manager write to the BIOS? Is this microcode a drop-in replacement for Intel's own or an entirely different code for a different purpose?

Driver Manager says "Unknown. This device is using an alternative driver." What is selected is intel-microcode (open-source) version 3.20180425.1~ubuntu0.16.04.1 Processor microcode firmware for Intel CPUs. Firstly, there doesn't appear to be anything to update here. Secondly, is this microcode ( apparently written to my BIOS ) only good / useful for Linux? Does this, being a Ubuntu driver written to my BIOS, impact the system if other operating systems were to be installed? Not that I'll ever use Windows again. I'd just like to know to better understand what it is and also avoid screwing up folks' computers when switching OS'.
for a one-off method of setting a kernel parameter
But with the kernel and microcode updates I don't need to mess with this, right?
I'd myself by the way advise the current 4.15 kernel on Mint 18.3.
I have just Mint 18 and will switch to 19 as soon as time permits. What's the difference between 4.15 and 4.4? The versioning convention is strange: 4.10, 4.11, 4.13, 4.15, 4.4, 4.8. Reminds me of 'How B!ll G@te$ counts to 10': 1, 2, 3, 95, 98, NT, 2000, XP, Vista, 7, 8, 10.
Preferably not the current (known "bad apple" -24) but the latest but one (-23).
Thanks! I'd never have known! What's the best source of that kind of info?
Last edited by linx255 on Tue Jul 17, 2018 2:38 am, edited 1 time in total.

Moem
Level 16
Posts: 6798
Joined: Tue Nov 17, 2015 9:14 am
Location: The Netherlands

Re: Hardening against Spectre/Meltdown and compiling kernels

Post by Moem » Mon Jul 16, 2018 3:04 pm

linx255 wrote:
Mon Jul 16, 2018 2:48 pm
That sounds likely to me.
I'm assuming you're referring to the last sentence of my quote.
That's right, I was.
linx255 wrote:
Mon Jul 16, 2018 2:48 pm
If I were you I'd just try it out.
Right, however, I'm just here to ensure my plan of action makes sense before investing the time and energy. My experience warns of jumping into major changes without preparation, but apparently this is not as involved as I first thought.
I agree: it's not very involved at all. A kernel upgrade is easy, quick and normally painless, and if it turns out that the newer kernel doesn't suit, you can go back to the previous one.
If all goes well, we're talking about less than five minutes of your time. If not, another five and you're back where you started.

karlchen
Level 19
Posts: 9336
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: Hardening against Spectre/Meltdown and compiling kernels

Post by karlchen » Mon Jul 16, 2018 3:26 pm

Hello, linx255.
linx255 wrote:
Mon Jul 16, 2018 2:48 pm
What's the difference between 4.15 and 4.4?
Kernel series 4.4.0 has been introduced by Ubuntu 16.04 (Mint 18.x) as the LTS kernel series, which will be supported for the complete 5 years, during which Ubuntu 16.04 will be supported. (April 2016 - April 2021)

Kernel series 4.15.0 has been introduced by Ubuntu 18.04 (Mint 19.x) as the LTS kernel series, which will be supported for the complete 5 years, during which Ubuntu 18.04 will be supported. (April 2018 - April 2023)

As soon as Ubuntu 18.04 SP1 will be released (July/August), kernel series 4.15.0 will be officially backported to Ubuntu 16.04 (Mint 18.x) as well, including the corresponding HWE stack (hardware enablement stack), and will be supported on Ubuntu 16.04 (Mint 18.x) till April 2021, then EOL for Ubuntu 16.04 (Mint 18.x) - Currently kernel series 4.15.0 Ubuntu 16.04 could be considered as "early preview". Cf. bottom of this Ubuntu kernel overview.

In case you wish to learn details about the technical differences between kernel series 4.4.0 and 4.15.0, I am afraid I will have to point you to the kernel changelogs. :wink:

linx255 wrote:
Mon Jul 16, 2018 2:48 pm
The versioning convention is strange: 4.10, 4.11, 4.13, 4.15, 4.4, 4.8.
This only looks strange to you because you did not enumerate the kernels in the right ascending order:
+ 4.4
+ 4.8
+ 4.10
+ 4.11
+ 4.13
+ 4.15
The different sort orders are brought about by purely alphabetic sorting vs natural sort order. The first sort order depends on the ASCII values of each character in the version strings only, whereas natural sort order permits taking the numbers as numbers and sorting them by their numerical values.
Anyway, independent of the display order, you can be assured that the kernel series have been developed and published in the order from 4.4 to 4.15, which you can read above.

Cheers,
Karl
Linux Mint 18.1 64-bit Cinnamon Desktop, Total Commander 9.21a 64-bit
Ubuntu 18.04.1 32-bit Mate Desktop, Total Commander 9.21a 32-bit
Windows? - 1 window in every room

rene
Level 8
Posts: 2187
Joined: Sun Mar 27, 2016 6:58 pm

Re: Hardening against Spectre/Meltdown and compiling kernels

Post by rene » Mon Jul 16, 2018 3:46 pm

linx255 wrote:
Mon Jul 16, 2018 2:48 pm
So to repeat back what I'm hearing, you're saying the microcode updates from Driver Manager write to the BIOS?
No. It's just that embedding CPU microcode in a mainboard BIOS update, with that BIOS itself taking care of uploading it to the CPU at power-on initialisation, is the standard, originally intended manner of getting newer CPU microcode delivered to you. As such, if a new and post-spectre BIOS were available for your MB then it'd take care of getting the new microcode loaded without you/the operating system needing to do anything.

MB vendors however generally don't ship BIOS updates for anything but the newest one or few generations of boards; seeing as how you mentioned to be on older hardware you'll unlikely have a BIOS update available to you and will "have" to upload the microcode to the CPU with help of the OS. Both Windows and Linux can do this; what they upload is the very same microcode as available from in this case Intel and what is shipped embedded in the BIOS and BIOS-updates for new(er) boards.

So no, the microcode is not written to the BIOS; it just resides on your disk and is, when enabled, uploaded to the CPU on each (cold) boot by the OS similarly as to how it would be uploaded to the CPU on each (cold) boot by the BIOS had said BIOS been new enough to have shipped embedding it.

The microcode version you mention, 20180425, is indeed the at the moment newest through Ubuntu/Mint available microcode package. As long as you have it rather than "Do not update the CPU microcode" selected you are using it. The driver manager switch is the on/off switch: when enabled, newer versions of the microcode package will be delivered to you alongside all other normal updates.

One of which, I note, is likely to be delivered to you soon-ish: Intel has newer 20180703 microcode available at https://downloadcenter.intel.com/downlo ... -Data-File which will after (more) testing by Canonical/Mint trickle down to us. Which is then also to say that you should not be tempted to install it manually: it'll get to you in due course.

And once again explicitly then: no, no permanent changes are made to your system by enabling/loading microcode; the OS-side microcode driver uploads newer microcode than already available on the CPU itself simply at each boot, both with OS=Linux and OS=Windows.
But with the kernel and microcode updates I don't need to mess with [the spec_store_bypass_disable kernel parameter]?
If you insist on that specific mitigation, then yes, you do: https://wiki.ubuntu.com/SecurityTeam/Kn ... e/Variant4. But note from that URL that it is of course not enabled by default with reason: "In Ubuntu, SSBD is OFF by default because it is not needed by most programs and carries a notable performance impact". YMMV but I have myself been ever since this hooplala started more interested in ways of disabling mitigations, seeing as how I have little use for real slowdowns to defend against conceptual threats...
What's the difference between 4.15 and 4.4?
.11
The versioning convention is strange: 4.10, 4.11, 4.13, 4.15, 4.4, 4.8.
No such convention I'm afraid. Of the kernel series you name 4.4 is oldest and the kernel series that Mint 18 originally shipped with. The 4.5, 4.6 and 4.7 kernel series were then not selected by Ubuntu as series it supports for Ubuntu 16.04/Mint 18, meaning our next available series is the 4.8 series. Same for 4.9 being skipped, 4.10 adopted and so on.
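The "permanent" way of setting a kernel parameter that rene points to (editing /etc/default/grub, then update-grub), using the spec_store_bypass_disable=seccomp parameter from the Variant 4 page as the worked case; this is an added example, not code from the thread. It assumes the stock one-line GRUB_CMDLINE_LINUX_DEFAULT="..." form and works on a constructed copy of the file, never on /etc/default/grub itself.

```shell
#!/bin/bash
# Added example, not from the thread: adds a kernel boot parameter to
# GRUB_CMDLINE_LINUX_DEFAULT in a copy of /etc/default/grub without duplicating
# it, and replaces an existing value of the same key (e.g. seccomp -> off)
# instead of appending a second one.
# Assumption: the file carries the stock one-line form
#   GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
# On the real file you still run "sudo update-grub" and reboot afterwards, and
# can confirm the running kernel picked it up with: cat /proc/cmdline

# cmdline_default FILE: print the current GRUB_CMDLINE_LINUX_DEFAULT value (unquoted).
cmdline_default() {
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$1" | tail -n 1
}

# merge_param CURRENT PARAM: print CURRENT with PARAM appended, dropping any
# earlier word that has the same key (the part before "=").
merge_param() {
    local current="$1" param="$2" key="${2%%=*}" out="" word
    for word in $current; do
        [ "${word%%=*}" = "$key" ] && continue
        out="${out:+$out }$word"
    done
    echo "${out:+$out }$param"
}

# set_kernel_param FILE PARAM: rewrite FILE in place (keeping FILE.bak) so the
# default kernel command line contains PARAM exactly once. Returns 1 if the
# GRUB_CMDLINE_LINUX_DEFAULT line is missing, so nothing is written blindly.
set_kernel_param() {
    local file="$1" param="$2" current new esc
    grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=' "$file" || return 1
    current=$(cmdline_default "$file")
    new=$(merge_param "$current" "$param")
    # Escape what sed treats specially in a replacement: backslash, & and the / delimiter.
    esc=$(printf '%s' "$new" | sed 's#[\\&/]#\\&#g')
    sed -i.bak "s/^GRUB_CMDLINE_LINUX_DEFAULT=.*/GRUB_CMDLINE_LINUX_DEFAULT=\"$esc\"/" "$file"
}

# Constructed sample in the Ubuntu/Mint /etc/default/grub layout (not a real file).
SAMPLE_GRUB='GRUB_DEFAULT=0
GRUB_HIDDEN_TIMEOUT=0
GRUB_TIMEOUT=10
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
GRUB_CMDLINE_LINUX=""
'

# Demo on a temporary copy: apply the parameter twice (idempotent), then change it.
demo=$(mktemp)
printf '%s' "$SAMPLE_GRUB" > "$demo"
for p in spec_store_bypass_disable=seccomp spec_store_bypass_disable=seccomp spec_store_bypass_disable=off; do
    set_kernel_param "$demo" "$p"
    echo "after $p: GRUB_CMDLINE_LINUX_DEFAULT=\"$(cmdline_default "$demo")\""
done
rm -f "$demo" "$demo.bak"
```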

karlchen
Level 19
Posts: 9336
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: Hardening against Spectre/Meltdown and compiling kernels

Post by karlchen » Mon Jul 16, 2018 4:11 pm

Hello, rene.
rene wrote:
Mon Jul 16, 2018 3:46 pm
No such convention I'm afraid. Of the kernel series you name 4.4 is oldest and the kernel series that Mint 18 originally shipped with. The 4.5, 4.6 and 4.7 kernel series were then not selected by Ubuntu as series it supports for Ubuntu 16.04/Mint 18, meaning our next available series is the 4.8 series. Same for 4.9 being skipped, 4.10 adopted and so on.
Have you ever bothered to look at the Ubuntu supported kernel graph here? Ubuntu Kernel Support
Ubuntu's kernel support schema is neither strange, nor random. But it definitely exists. And kernel series 4.8 and 4.9 e.g. are not a part of it. (4.9 never was and 4.8 no longer is.)

rene
Level 8
Posts: 2187
Joined: Sun Mar 27, 2016 6:58 pm

Re: Hardening against Spectre/Meltdown and compiling kernels

Post by rene » Mon Jul 16, 2018 4:50 pm

karlchen wrote:
Mon Jul 16, 2018 4:11 pm
Ubuntu's kernel support schema is neither strange, nor random. But it definitely exists. And kernel series 4.8 and 4.9 e.g. are not a part of it.
Unsure what you are responding to; I believe you may have misread me: I find Ubuntu's kernel support schedule neither strange nor random. What I was explaining to OP is, first, that 4.4 < 4.8 < 4.10 and so on (as you also already did) and that, second, the "missing" point releases in between do exist upstream, just not in Update Manager.

In Update manager on 18.3 currently kernels from series 4.4, 4.8, 4.10, 4.11, 4.13 and 4.15 are available. Of these only 4.11 is not mentioned in the context of 16.04.x on the schedule you linked to. Not sure why kernels from that series are still available then but also don't care; I was merely referring to what was ("officially") supported in that sense, being available to us.

karlchen
Level 19
Posts: 9336
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: Hardening against Spectre/Meltdown and compiling kernels

Post by karlchen » Mon Jul 16, 2018 4:57 pm

Hello, rene.

If you inspect the Ubuntu kernel support graph, you will doubtlessly easily find out that Ubuntu does not use each and every kernel which Linus Torvalds's team publishes.
The kernel versions which are available on Ubuntu are the kernel versions which the Linux Mint Update Manager will offer to Linux Mint users. This applies to the Ubuntu based Mint releases 17.x, 18.x and 19.
At this point in time only the following kernel series are (still) supported on Ubuntu 16.04 (Mint 18.x):
+ 4.4.0
+ 4.13.0
+ 4.15.0 (early preview)
On Ubuntu 18.04 (Mint 19) only kernel series 4.15.0 is currently supported.

If I remember correctly, kernel series 4.11 stopped being supported earlier than initially planned, when Ubuntu had to make sure their supported kernel series all got the available patches against Spectre and Meltdown.

Regards,
Karl

rene
Level 8
Posts: 2187
Joined: Sun Mar 27, 2016 6:58 pm

Re: Hardening against Spectre/Meltdown and compiling kernels

Post by rene » Mon Jul 16, 2018 5:00 pm

karlchen wrote:
Mon Jul 16, 2018 4:57 pm
If you inspect the Ubuntu kernel support graph, you will doubtlessly easily find out that Ubuntu does not use each and every kernel which Linus Torvalds's team publishes.
Yes, I know, that is what I explained to OP. I will leave this sub-thread be: OP will have no doubt gotten the point.

karlchen
Level 19
Posts: 9336
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: Hardening against Spectre/Meltdown and compiling kernels

Post by karlchen » Mon Jul 16, 2018 5:15 pm

Agreed, it is not really relevant whether you and I just misunderstood each other's posts consistently. :wink:

linx255
Level 5
Posts: 675
Joined: Mon Mar 17, 2014 12:43 am

Re: Hardening against Spectre/Meltdown and compiling kernels

Post by linx255 » Mon Jul 16, 2018 10:30 pm

So no, the microcode is not written to the BIOS; it just resides on your disk and is, when enabled, uploaded to the CPU on each (cold) boot by the OS similarly as to how it would be uploaded to the CPU on each (cold) boot by the BIOS had said BIOS been new enough to have shipped embedding it.
Makes sense now
seeing as how I have little use for real slowdowns to defend against conceptual threats...
Ok, skipping this one.
.11
Or is it -0.25? :)
OP will have no doubt gotten the point.
And I did. Solved, thanks!

linx255
Level 5
Posts: 675
Joined: Mon Mar 17, 2014 12:43 am

Re: Hardening against Spectre/Meltdown and compiling kernels [SOLVED]

Post by linx255 » Wed Jul 18, 2018 8:15 pm

One more quick question: where is the announcement page for Ubuntu releases? I have scoured the web to no avail. There doesn't seem to be anything useful on the Ubuntu main page or blog nor the 'Releases' wiki, and no mention of the release of subversions ( 18.0.4.1, etc. ). It would be nice if there was a link with such announcements, like Linux Mint has. Thank you